Multi-Core Model Checking
Alfons Laarman
November 14, 2013
UNIVERSITY OF TWENTE. Formal Methods & Tools.
Outline: Introduction, Reachability, LTL, Timed Automata, LTSmin, Conclusions

State Space Explosion
(LaQuSo project)
An exponential problem
◮ system data
◮ system components
◮ property size
Approach
◮ multi-core model checking
◮ Confluence / partial-order reduction
◮ Symbolic techniques (BDD-based and SAT-based)
◮ On-the-fly techniques
◮ Compression techniques

Multi-Core Model Checking
Research questions
◮ Can model checking scale (linearly, ideally) on modern multi-cores?
  ◮ Formalisms: plain, timed, stochastic, etc.
  ◮ Properties: Reachability, LTL, CTL, etc.
◮ Are our parallel solutions compatible with other techniques?
  ◮ Partial-order reduction (POR)
  ◮ Symbolic exploration
  ◮ On-the-fly techniques
  ◮ Compression techniques
Speedup: $S_P = T_{seq}/T_P$   Ideal: $S_P = P$   Linear: $S_P = P/c$
[Figure: speedup versus number of threads (both axes 10 to 50) for dfsfifo on the models garp, giop2.nomig, i-protocol2 and leader5]

Challenges
Difficulties of parallelism
◮ Correctness of data structures and algorithms
◮ Steep memory hierarchies
◮ Cache coherence protocol (false sharing)

Sequential counter (T = 27):

    #define B (1024*1024*1024)

    int main (void) {
        int result = 0;
        for (int i = 0; i < B; i++)
            result++;
        return result;
    }

Parallel counter with P = 16 threads, counters packed in one int array (T16 = 32):

    #include <pthread.h>

    #define B (1024*1024*1024)
    #define P 16

    /* Each thread increments only its own counter, B / P times. */
    static void *count (void *arg) {
        int *counter = (int *) arg;
        for (int i = 0; i < B / P; i++)
            (*counter)++;
        return NULL;
    }

    int main (void) {
        pthread_t thread[P];
        int counters[P] = {0};
        for (int i = 0; i < P; i++)
            pthread_create (&thread[i], NULL, count, &counters[i]);
        int result = 0;
        for (int i = 0; i < P; i++) {
            pthread_join (thread[i], NULL);
            result += counters[i];
        }
        return result;
    }

Same program with the counters aligned to 64 bytes, one per cache line (T16 = 1.8). Only these lines of main change:

    /* Aligning the struct type pads every counter to 64 bytes; aligning only
       the int array would leave all 16 counters in a single cache line. */
    struct { int value; } __attribute__((aligned(64))) counters[P] = {{0}};
        pthread_create (&thread[i], NULL, count, &counters[i].value);
        result += counters[i].value;

(Explicit-state) reachability
Problem: find all reachable states from $s_0 \in S$ using a next-state function $post : S \to 2^S$
A state $s \in S$ is a (fixed) $K$-sized vector: $\langle v_1, \ldots, v_K \rangle$

Static partitioning or shared hash table
Static partitioning
[Figure: Workers 1 to 4, each with its own queue and its own store]
✗ On-the-fly (BFS)
± Scalability (communication - n queues)
Shared hash table
[Figure: a load balancer and one shared store above Workers 1 to 4, each with its own queue]
✓ On-the-fly: (pseudo) DFS & BFS
? Scalability

Lockless Hash Table: Design
Laarman, van de Pol, Weber [fmcad10]
Main bottlenecks
◮ State store: concurrent access
◮ Graph traversal: random memory access (bandwidth)
Design
◮ Hash memoization
◮ Walking the Line
◮ In-situ locking
[Figure: table layout with the labels |state|, data, bucket and |cache line|]

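The three design points, read here as: each bucket memoizes the state's hash, probing stays inside one cache line before rehashing, and the lock bit lives in the bucket itself. This is an added sketch in C11, not LTSmin's code; the bit layout, table size, hash function and the names find_or_put, bucket and data are assumptions.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define K      6              /* ints per state vector (assumed) */
#define SLOTS  1024           /* number of buckets, power of two (assumed) */
#define LINE   16             /* 4-byte buckets per 64-byte cache line */
#define WRITE  0x80000000u    /* in-situ lock bit: a writer is filling the slot */
#define DONE   0x40000000u    /* the state data of this slot is valid */
#define MEMO   0x3FFFFFFFu    /* remaining 30 bits: memoized hash */

/* Bucket array: memoized hash plus status bits; 0 means empty. */
static _Alignas(64) _Atomic uint32_t bucket[SLOTS];
/* Data array: the full state vectors, at the same index as their bucket. */
static int32_t data[SLOTS][K];

/* FNV-1a style hash over the state's variables (hypothetical choice). */
static uint32_t hash_state(const int32_t *s, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    for (int i = 0; i < K; i++) {
        h ^= (uint32_t) s[i];
        h *= 16777619u;
    }
    return h;
}

/* Returns 1 if s was already stored, 0 if this call inserted it,
 * and -1 if no free bucket was found. Safe to call from many threads. */
int find_or_put(const int32_t *s) {
    for (uint32_t seed = 0; seed < 8; seed++) {       /* rehash after a full line */
        uint32_t h = hash_state(s, seed);
        uint32_t memo = h & MEMO;
        uint32_t slot = h & (SLOTS - 1);
        uint32_t line = slot & ~(uint32_t) (LINE - 1);
        for (uint32_t i = 0; i < LINE; i++) {         /* walk the cache line */
            uint32_t idx = line + ((slot + i) & (LINE - 1));
            uint32_t seen = 0;
            /* Claim an empty bucket by setting the lock bit with one CAS. */
            if (atomic_compare_exchange_strong(&bucket[idx], &seen, memo | WRITE)) {
                memcpy(data[idx], s, sizeof data[idx]);
                atomic_store(&bucket[idx], memo | DONE);  /* publish and unlock */
                return 0;
            }
            /* CAS failed, so seen holds the bucket. Only a matching memoized
             * hash justifies touching the data array at all. */
            if ((seen & MEMO) != memo)
                continue;
            while (!(atomic_load(&bucket[idx]) & DONE))
                ;                                     /* writer still busy */
            if (memcmp(data[idx], s, sizeof data[idx]) == 0)
                return 1;
        }
    }
    return -1;
}

int main(void) {
    int32_t a[K] = {3, 5, 5, 4, 1, 3};   /* sample states taken from the slides */
    int32_t b[K] = {3, 5, 9, 4, 1, 3};
    int r1 = find_or_put(a);
    int r2 = find_or_put(b);
    int r3 = find_or_put(a);
    printf("insert a: %d, insert b: %d, a again: %d\n", r1, r2, r3);
    return 0;
}
```
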
Experiments from 2010 (BEEM database)
[Figure: results for SPIN 5.2.4 (NASA/JPL), DiVinE 2.2 (Brno, CZ) and LTSmin (shared hash table)]
Impact
◮ spin model checker: [Holzmann'12]
◮ GPU model checking: [Sulewski et al '11,12]
◮ Parallel BDDs: van Dijk, Laarman, van de Pol [avocs12][pdmc12]

Reachability
◮ Scalability comes from limiting bandwidth usage
◮ Correctness established with model checker

             | Explicit state | + Compression | + POR | + On-the-fly
Reachability | ✓              | ✗             | ✓     | ✓

◮ Partial-order reduction can be computed (state) locally
◮ No compression, but states are often very similar due to locality: 3,5,5,4,1,3 and 3,5,9,3,1,3

Recursive indexing
[holzmann 97][blom et al. 08]
[Figure: example state vectors folded into index tables; labels $H^K$, $(K-1) \times H^2$, $N$, $\sqrt{N}$, $\sqrt{N}$]
✓ Combinatorial ⟹ balanced tree ($N + 2\sqrt{N} + 4\sqrt[4]{N} \cdots \approx N$)
Compresses states of length K to almost 2!
✗ Hard to parallelize (flatliners)

Parallel Tree Compression
Laarman, van de Pol, Weber [spin11]
Solution
◮ Temporary binary tree structure on stack
◮ Reuse lockless hash table (merge tables)
◮ Incremental updates: $(K-1) \to \log_2(K-1)$ lookups
[Figure: binary tree over the state 3,5,5,4,1,3 (3,5,5 and 4,1,3, then 3,5 and 4,1) with its pairs stored in one table, and the successor state 3,5,9,4,1,3]

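An added sequential sketch of the tree folding and the incremental update, run on the slide's states 3,5,5,4,1,3 and 3,5,9,4,1,3; it is not the authors' implementation. The heap-style tree layout, the linear-scan pair table standing in for the lockless table, and all names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define K     6      /* state vector length, as in the slide's 3,5,5,4,1,3 */
#define MAXP  1024   /* capacity of the pair table (assumed) */

static int pairs[MAXP][2];   /* one merged table shared by all tree levels */
static int npairs = 0;
static int lookups = 0;      /* number of table operations performed */

/* Find-or-put of a pair, returning its index. A linear scan stands in
 * for the lockless hash table. */
static int pair_index(int a, int b) {
    lookups++;
    for (int i = 0; i < npairs; i++)
        if (pairs[i][0] == a && pairs[i][1] == b)
            return i;
    pairs[npairs][0] = a;
    pairs[npairs][1] = b;
    return npairs++;
}

/* Temporary tree of 2*K ints: tree[K..2K-1] holds the state variables,
 * tree[i] for 1 <= i < K is the table index of (tree[2i], tree[2i+1]).
 * With prev == NULL all K-1 nodes are looked up; with the predecessor's
 * tree in prev, only nodes that have a changed child are looked up.
 * Returns the root index, which identifies the whole state. */
int tree_fold(const int *v, const int *prev, int *tree) {
    memcpy(tree + K, v, K * sizeof(int));
    for (int i = K - 1; i >= 1; i--) {
        int l = 2 * i, r = 2 * i + 1;
        if (prev && tree[l] == prev[l] && tree[r] == prev[r])
            tree[i] = prev[i];                 /* subtree unchanged: reuse */
        else
            tree[i] = pair_index(tree[l], tree[r]);
    }
    return tree[1];
}

/* Inverse of tree_fold: rebuilds the state vector from a root index,
 * which shows that folding is an injection. */
void tree_unfold(int root, int *v) {
    int tree[2 * K];
    tree[1] = root;
    for (int i = 1; i < K; i++) {
        tree[2 * i]     = pairs[tree[i]][0];
        tree[2 * i + 1] = pairs[tree[i]][1];
    }
    memcpy(v, tree + K, K * sizeof(int));
}

int main(void) {
    int a[K] = {3, 5, 5, 4, 1, 3}, b[K] = {3, 5, 9, 4, 1, 3};
    int ta[2 * K], tb[2 * K];
    int ra = tree_fold(a, NULL, ta);
    printf("full fold:        root %d, %d lookups\n", ra, lookups);
    lookups = 0;
    int rb = tree_fold(b, ta, tb);
    printf("incremental fold: root %d, %d lookups, %d pairs stored\n",
           rb, lookups, npairs);
    return 0;
}
```
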
Experiments from 2011 [BEEM database]
Laarman, van de Pol, Weber [spin11]
[Figure: experimental results plot; annotation "(2 integers)"]
3,5,5,4,1,3   3,5,9,4,1,3   3,5,9,3,2,3
Information theoretical lower bound?
◮ View states as stream of variables: $v^1_1, \ldots, v^1_K, v^2_1, \ldots, v^2_K, \ldots$ with $|v^i_j| = 2^{32}$
◮ $p(v^i_j = v^{i-1}_j) = \frac{K-1}{K}$ and $p(v^i_j \neq v^{i-1}_j) = \frac{1}{K}$ (under-estimation)
◮ Entropy per state: $K \times H(s^i_j) \approx \log_2(2^{32}) + \log_2(K)$ bits $\approx 1 + \epsilon$ integer
◮ Halve the root table with Cleary compact hash table [memics11]

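The entropy estimate carried through with the slide's symbols (an added derivation, not from the slides; it assumes the $K$ variables are independent and that a changed variable is uniform over the $2^{32}$ values):

$$H(v^i_j) = -\frac{K-1}{K}\log_2\frac{K-1}{K} + \frac{1}{K}\left(\log_2 K + \log_2 2^{32}\right)$$

$$K \times H(v^i_j) = \log_2(2^{32}) + \log_2(K) + (K-1)\log_2\frac{K}{K-1}$$

The last term is below $\log_2 e \approx 1.44$ bits for every $K \ge 2$, so the entropy per state is about $32 + \log_2 K$ bits: one 32-bit integer plus a small $\epsilon$.
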
Reachability
◮ Scalability from merging tables & incremental updates
◮ Correctness proved by hand
  ◮ The recursive tree function is an injection [spin11]

             | Explicit state | + Compression | + POR | + On-the-fly
Reachability | ✓              | ✓             | ✓     | ✓
LTL          | ?              | ?             | ?     | ?

Still only safety...

LTL
The ω-language of the Büchi automaton represents all counter examples [Vardi et Wolper 86]
[Figure: graph with nodes 1 to 6]
“It is as yet an open problem how a liveness verification algorithm could be generalized to the use of more than two processing cores while retaining a low search complexity.” [Holzmann ’07]
“One of the most important open problems of parallel LTL model checking is to design an on-the-fly scalable parallel algorithm with linear time complexity.” [Brim, Barnat et Ročkai ’11]

Nested Depth-First Search for LTL
[Courcoubetis’93]

    procedure DFSblue(s)
        s.cyan := true
        for all s’ ∈ post(s) do
            if ¬s’.blue ∧ ¬s’.cyan then DFSblue(s’)
        if accepting(s) then DFSred(s)
        s.blue := true
        s.cyan := false

    procedure DFSred(s)
        s.red := true
        for all s’ ∈ post(s) do
            if s’.cyan then ExitCycle
            if ¬s’.red then DFSred(s’)

Nested DFS (NDFS)
◮ Linear time
◮ DFS itself is likely not parallelizable
  ◮ DFS order is a P-complete problem
  ◮ We assume: P ≠ NC

Multi-core Nested Depth-First Search (Principle)
[atva11], [pdmc11], [atva12]
code for worker p:

    procedure DFSblue(s,p)
        s.cyan[p] := true
        for all s’ ∈ shuffle(post(s)) do
            if ¬s’.blue ∧ ¬s’.cyan[p] then DFSblue(s’,p)
        if accepting(s) then DFSred(s,p)
        s.blue := true
        s.cyan[p] := false

    procedure DFSred(s,p)
        s.red[p] := true
        for all s’ ∈ post(s) do
            if s’.cyan[p] then ExitCycle
            if ¬s’.red[p] then DFSred(s’,p)

[Figure: two workers, P1 and P2]
◮ In reality more synchronization!
◮ Laarman, Wijs et al. [atva11]; Laarman et van de Pol [pdmc11]; Evangelista, Laarman et al. [atva12]
◮ Lemma 4: Blue states have blue or cyan successors: Blue ⊆ p (Blue ∪ Cyanp).

LTL and Partial-Order Reduction
◮ Scalability due to hash/tree table (linear-time)
◮ Correctness proved by hand [atva11][pdmc11][atva12]
For partial-order reduction, we need to solve ignoring
◮ For livelocks (⊃ LTL), any unfair cycle is a counter example!
◮ Parallel DFSFIFO: Laarman et Faragó [nfm13]

Experiments: LTL with Partial-Order Reduction
[Figure: two plots of speedup versus threads (both axes 10 to 50), one for cndfs and one for dfsfifo, each on the models garp, giop2.nomig, i-protocol2 and leader5]

Partial-order reductions:
       | LTSmin dfsfifo | spin ndfs
leader | 0.49%          | 1.15%
garp   | 2.18%          | 12.73%
giop   | 1.86%          | 2.42%
i-prot | 31.83%         | 41.37%

Max. model size explored in 30 min.:
cores | LTSmin dfsfifo | DiVinE owcty
1     | 12             | 9
48    | 15             | 11
dfsfifo vs owcty + POR [Brim et al ’10]

Formalism | Property     | Explicit state | + Compression | + POR | + On-the-fly
Plain     | Reachability | ✓              | ✓             | ✓     | ✓
Plain     | LTL          | ✓              | ✓             | ✗     | ✓
Plain     |   Livelocks  | ✓              | ✓             | ✓     | ✓
Timed     | Reachability | ?              | ?             | ?     | ?
Timed     | LTL          | ?              | ?             | ?     | ?

Timed Automata
States are semi-symbolic: s = (d, σ) (finite continuous-time abstraction)
Z1 := y − x ≤ 0 ∧ y ≤ 2
Z2 := Z3 := y − x = 0 ∧ y ≤ 2
[Figure: the zones drawn over the clocks x and y, both axes marked at 2]
This introduces a new subsumption relation: s ⊑ s′ iff d = d′ ∧ σ ⊑ σ′
Subsumption is a simulation relation which allows another, dynamic abstraction

Timed Automata
Dalsgaard, Laarman, Olesen, Larsen, van de Pol [formats12]
✓ For reachability, we implemented a lockless multi-map [formats12]
[Figure: states s0, s1, s2, s3 with a ⊒ relation]
✗ Subsumption does not preserve Büchi emptiness! [Tripakis’09]
[Figure: "Timed abstraction" over s0, s1, s2, s3 with s3 ⊑ s1, next to "subsumption" over s0, s1, s2]

Analysis of accepting cycles/spirals with subsumption
Laarman, Olesen, Dalsgaard, Larsen, van de Pol [cav13]
Lemma: If s has an accepting cycle then any s′ ⊒ s has it as well
[Figure: Preservation of accepting cycles (proof sketch): diagram over the states s, t, s′, t′, t′′, t′′′ and x, related by →∗, →+ and ⊑]
Lemma: If t′ has an accepting spiral then t′ has an accepting cycle

Results with Parallel Timed Reachability / LTL
Laarman, Olesen, Dalsgaard, Larsen, van de Pol [cav13][formats2012]
◮ Add full LTL to timed automata
◮ Runtimes 60x faster than UPPAAL on 48 cores
◮ Up to 70x reductions due to subsumption
◮ Tree compression for large discrete states

LTSmin
LTSmin: Blom, van de Pol, Weber [cav09]
http://fmt.cs.utwente.nl/tools/ltsmin/ (open source)
[Figure: LTSmin architecture. Specification languages (mCRL2, Promela, DVE, UPPAAL), PINS, Pins2pins wrappers (transition caching, variable reordering, transition grouping, partial-order reduction), PINS, reachability tools (distributed, multi-core, symbolic)]
Other work
◮ Guard-based POR: Pater, Laarman, van de Pol [spin13]
◮ promela formalism: van der Berg et Laarman [pdmc12]
◮ LTSmin tool: Laarman, Weber, van de Pol [nfm11]

... Introduction Reachability LTL Timed Automata LTSmin Conclusions ...
Contributions
Formalism P r
- p
e r t y E x p l i c i t s t a t e + C
- m
p r e s s i
- n
+ P O R + O n
- t
h e
- fl
y publications Plain Reachability ✓ ✓ ✓ ✓ [fmcad10][spin11][memics11] LTL ✓ ✓
1/2 ✓
[atva11][pdmc11][atva12] . . . . Livelocks ✓ ✓ ✓ ✓ [spin13][nfm13] Timed Reachability ✓ ✓ – ✓ [formats12] LTL ✓ ✓ – ✓ [cav13]
UNIVERSITY OF TWENTE. Multi-Core Model Checking November 14, 2013 25 / 27
... Introduction Reachability LTL Timed Automata LTSmin Conclusions ...
Contributions
Formalism P r
- p
e r t y E x p l i c i t s t a t e + C
- m
p r e s s i
- n
+ P O R + O n
- t
h e
- fl
y S y m b
- l
i c publications Plain Reachability ✓ ✓ ✓ ✓ ✓ [fmcad10][spin11][memics11] LTL ✓ ✓
1/2 ✓ ?
[atva11][pdmc11][atva12] . . . . Livelocks ✓ ✓ ✓ ✓
?
[spin13][nfm13] Timed Reachability ✓ ✓ – ✓
?
[formats12] LTL ✓ ✓ – ✓
?
[cav13]
Other work ◮ Multi-core BDDs . . . . . . . . . . . . . . . . . . . . . . . . .van Dijk, Laarman, van de Pol [pdmc12]
UNIVERSITY OF TWENTE. Multi-Core Model Checking November 14, 2013 25 / 27
... Introduction Reachability LTL Timed Automata LTSmin Conclusions ...
Contributions
| Formalism | Property | Explicit state | + Compression | + POR | + On-the-fly | Symbolic | publications |
|---|---|---|---|---|---|---|---|
| Plain | Reachability | ✓ | ✓ | ✓ | ✓ | ✓ | [fmcad10][spin11][memics11] |
| | LTL | ✓ | ✓ | 1/2 | ✓ | ? | [atva11][pdmc11][atva12] |
| | Livelocks | ✓ | ✓ | ✓ | ✓ | ? | [spin13][nfm13] |
| Timed | Reachability | ✓ | ✓ | – | ✓ | ? | [formats12] |
| | LTL | ✓ | ✓ | – | ✓ | ? | [cav13] |
Other work
◮ Multi-core BDDs: van Dijk, Laarman, van de Pol [pdmc12]
◮ One-Way-Catch-Them-Young (LTL): [Barnat,Brim,Ročkai’01]
◮ Topological sort proviso (POR): [Barnat,Brim,Ročkai’10]
◮ CTL: [Saad et al’12]
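Future work
| Formalism | Property | Explicit state | + Compression | + POR | + On-the-fly | Symbolic | Distributed |
|---|---|---|---|---|---|---|---|
| Plain | Reachability | ✓ | ✓ | ✓ | ✓ | ✓ | ? |
| | LTL | ✓ | ✓ | ✓ | ✓ | ? | ? |
| | CTL | ? | ? | ? | ? | ? | ? |
| Timed | Reachability | ✓ | ✓ | – | ✓ | ? | ? |
| | LTL | ✓ | ✓ | – | ✓ | ? | ? |
| | CTL | ? | ? | ? | ? | ? | ? |
| Stoch. | Reachability | ? | ? | ? | ? | ? | ? |
| | LTL | ? | ? | ? | ? | ? | ? |
| | CTL | ? | ? | ? | ? | ? | ? |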
Other questions
◮ Can our parallel DFS-based solutions be generalized?
◮ (Bottom-)SCC detection
◮ Emptiness of {Tree,Rabin,Streett} automata, etc.
◮ What search-order property is preserved?
Static partitioning or shared hash table
[fmcad10]
[Figure: Workers 1–4, each with its own queue and store]
Static partitioning
✗ On-the-fly (BFS)
± Scalability (communication on queues)
Shared hash table
✓ On-the-fly: (pseudo) DFS & BFS
? Scalability
UNIVERSITY OF TWENTE. Multi-Core Model Checking November 5, 2013 7 / 26
Recursive indexing
[holzmann 97][blom et al. 08]
[Figure: example state vectors stored as a tree of pair tables]
HK (K − 1) × H2
✓ Combinatorial ⇒ balanced tree (N + 2√N + 4∜N + ··· ≈ N)
Compresses states of length K to almost 2!
✗ Hard to parallelize (flatliners)
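Recursive indexing as sketched on this slide, as an added Python example (not taken from the slides or from LTSmin's code): a state vector of length K is folded pairwise through a balanced binary tree with one pair table per internal node, so a state is identified by its root index. The class and function names are assumptions made for this illustration, and the product state space is constructed input.

```python
from itertools import product

class TreeStore:
    """Recursive indexing (hypothetical names): one pair table per internal
    node of a balanced binary tree over the K slots of a state vector."""

    def __init__(self, k):
        assert k >= 2, "needs at least one internal node"
        self.k = k
        self.index = {}  # node (lo, hi) -> {(left, right): index}
        self.pairs = {}  # node (lo, hi) -> [(left, right), ...] for decoding

    def _fold(self, vec, lo, hi):
        if hi - lo == 1:                      # leaf: the slot value itself
            return vec[lo]
        mid = (lo + hi) // 2
        pair = (self._fold(vec, lo, mid), self._fold(vec, mid, hi))
        table = self.index.setdefault((lo, hi), {})
        if pair not in table:                 # new sub-vector at this node
            table[pair] = len(table)
            self.pairs.setdefault((lo, hi), []).append(pair)
        return table[pair]

    def insert(self, vec):
        """Store vec; return (root index, True if the state was new)."""
        assert len(vec) == self.k
        seen = len(self.index.get((0, self.k), ()))
        root = self._fold(tuple(vec), 0, self.k)
        return root, len(self.index[(0, self.k)]) > seen

    def expand(self, idx, lo=0, hi=None):
        """Rebuild the full vector from a root index (lossless)."""
        hi = self.k if hi is None else hi
        if hi - lo == 1:
            return (idx,)
        mid = (lo + hi) // 2
        left, right = self.pairs[(lo, hi)][idx]
        return self.expand(left, lo, mid) + self.expand(right, mid, hi)

    def pair_count(self):
        return sum(len(t) for t in self.index.values())

def slots_per_state(k, domain):
    """Insert the full product space domain^k (constructed input) and
    return the number of table slots used per stored state."""
    store, n = TreeStore(k), 0
    for vec in product(domain, repeat=k):
        n += store.insert(vec)[1]
    return 2 * store.pair_count() / n

if __name__ == "__main__":
    print(slots_per_state(8, range(3)))  # flat storage would need 8 per state
```

On the 3^8 product space the tables hold N + 2√N + 4∜N = 6561 + 162 + 36 pairs, which is about 2.06 slots per state instead of 8.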
Experiments from 2011 [BEEM database]
[spin11]
⟨3,5,5,4,1,3⟩ ⟨3,5,9,4,1,3⟩ ⟨3,5,9,3,2,3⟩
K−1 K
Information theoretical optimum?
◮ View states as K-periodic stream of 2^32-valued variables
◮ Information entropy per state: log2(2^32) + log2(K) bits ≈ 1 + integer
◮ Halve root table with compact hash table [memics11]
Contributions
| Formalism | Property | Explicit state | + Compression | + POR | + On-the-fly | Symbolic | publications |
|---|---|---|---|---|---|---|---|
| Plain | Reachability | ✓ | ✓ | 1/2 | ✓ | ✓ | [fmcad10][spin11][memics11] |
| | LTL | ✓ | ✓ | 1/2 | ✓ | ? | [atva11][pdmc11][atva12] |
| | Livelocks | ✓ | ✓ | ✓ | ✓ | ? | [spin13][nfm13] |
| Timed | Reachability | ✓ | ✓ | – | ✓ | ? | [formats12] |
| | LTL | ✓ | ✓ | – | ✓ | ? | [cav13] |
Related work
◮ Multi-core BDDs: [pdmc13(1)]
◮ One-Way-Catch-Them-Young (LTL): [Barnat,Brim,Ročkai’01]
◮ Topological sort proviso (POR): [Barnat,Brim,Ročkai’10]
◮ CTL: [Saad et al 12]
Multi-core Nested Depth-First Search (Principle)
[atva11][pdmc11][atva12]
code for worker p:
procedure DFSblue(s,p)
  s.cyan[p] := true
  for all s′ ∈ shuffle(post(s)) do
    if ¬s′.blue ∧ ¬s′.cyan[p] then
      DFSblue(s′,p)
  if accepting(s) then
    DFSred(s,p)
  s.blue := true
  s.cyan[p] := false

procedure DFSred(s,p)
  s.red[p] := true
  for all s′ ∈ post(s) do
    if s′.cyan[p] then ExitCycle
    if ¬s′.red[p] then
      DFSred(s′,p)

Multi-core NDFS
◮ States in shared tree/table
◮ Independent forward search
◮ Share blue color
◮ Repair DFS order (not shown)
[Figure: workers P1 and P2]